Spurred on by a series of database breaches at U.S. retailers, Visa USA today announced new fines on the merchant banks of large U.S. retailers that fail to comply with the Payment Card Industry Data Security Standard. Non-PCI-compliant retailers also will be ineligible for Visa’s lower-tiered interchange rates.
As part of the new program, the PCI Compliance Acceleration Program, Visa also will offer $20 million in incentives to those financial institutions if their retailers validate PCI compliance by Aug. 31 and have not been involved in a data compromise. The goal is to promote faster compliance, says Eduardo Perez, vice president of payment system risk, Visa USA.
The program targets the acquirers responsible for the largest 1,200 merchants (known as Level 1 and 2 merchants) that process more than one million Visa transactions a year and combined account for about two-thirds of Visa’s U.S. transaction volume. The initiative’s goal is to eradicate the storage of full-track data, CVV2 (card verification value) and PIN data, and grow PCI compliance among this group of merchants, Visa says.
Current PCI compliance stands at 36% among Level 1 merchants and 15% among Level 2 merchants, with the majority in both levels working toward compliance, according to Visa. Visa has levied $4.6 million in fines this year, up from $3.4 million in 2005.
“We have had a number of cardholder data compromises with large merchants and small merchants and what we want to do is to ensure that our largest merchants … that present the greatest exposure to us are properly secured,” Perez says. Smaller retailers also face fines for non-compliance with the PCI standard but represent less risk to the Visa system.
Visa is targeting the merchant acquirers with the fines and incentives because Visa’s contractual relationship is with the acquirer sponsoring the retailer into the payment system, Perez says. “It’s their responsibility for ensuring their merchant’s compliance with our key security requirements,” he says.
Previously, Visa levied reactive fines against acquirers that had merchants who were compromised and not in compliance with the PCI standard, Perez says. “What’s new about this program is we’re doing it on a proactive basis,” he says. “We’re asking acquirers to confirm for us that their large merchants aren’t storing track data and that they achieved PCI compliance.”
Under the new penalties, acquirers will be fined between $5,000 and $25,000 a month for each Level 1 or Level 2 merchant that is not validated PCI compliant by Sept. 30, 2007, and Dec. 31, 2007, respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007, will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.
In addition, effective Oct. 1, 2007, merchants must prove they are PCI compliant to be eligible for the lower-tiered interchange rates available from Visa and Visa’s Interlink PIN debit program.
Under the new incentive program, the acquirers of Level 1 and 2 merchants who have validated full compliance with the PCI standard by March 31, 2007, will be eligible to receive a one-time payment for each qualifying merchant. Acquirers whose Level 1 and 2 merchants validate compliance after March 31 and prior to Aug. 31, 2007, will be eligible to receive a reduced one-time payment for each qualifying merchant.
PCI compliance is required of all merchants and other entities that store, transmit or process cardholder data. Retailers that fail to comply are subject to fines and could lose their right to accept cards.